Health Insurance Portability and Accountability Act (HIPAA) Compliance

The Health Insurance Portability and Accountability Act (HIPAA) was signed into law in 1996. It is best known for establishing regulatory standards for the security and privacy of patient data. More recently, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has significantly ramped up its HIPAA audit program, with an increased focus on risk assessments.


Overview:

Any organization that creates, receives, maintains or transmits electronic protected health information, commonly known as ePHI, must comply with HIPAA. This includes business associates: contractors and subcontractors that perform services involving PHI on behalf of a covered entity (a health plan, health care provider or health care clearinghouse). ePHI is protected health information held or transmitted in electronic form, where protected health information is "identifiable demographic and other information relating to the past, present, or future physical or mental health or condition of an individual."

HIPAA has three components related to data protection: the Security Rule, the Privacy Rule and the Breach Notification Rule. All three were modified by the Omnibus Rule, which took effect in 2013 and, for the first time, made business associates directly liable for compliance. The changes in the Omnibus Rule were mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed in 2009 as part of the American Recovery and Reinvestment Act (the economic stimulus bill).

While the move from paper to electronic records within medical and health care organizations vastly improves the patient experience, it also increases the risk to security and privacy. Breaches, whether caused by theft, unauthorized access, human error or external attacks, are rising year over year in the medical and health care industries, according to the Identity Theft Resource Center, which tracks reports of data-loss incidents.

Security Rule

This rule dictates the administrative, physical and technical safeguards required to secure electronic protected health information (ePHI), whether it is created, received, maintained or transmitted. Among the requirements: covered entities and business associates must conduct risk assessments and protect against reasonably anticipated threats and unauthorized access to, or disclosure of, ePHI.

Privacy Rule

This rule establishes safeguards for the control of protected health information in any format: oral, written or electronic. Broadly, it limits the uses and disclosures of patient information that may be made without the patient's authorization and spells out the rights patients have over their data.

Breach Notification Rule

This rule requires HIPAA-covered entities and their business associates, in the event of a breach of unsecured protected health information, to notify affected individuals, the Secretary of the U.S. Department of Health and Human Services (HHS) and, for larger breaches, prominent media outlets, unless a documented risk assessment demonstrates a low probability that the PHI has been compromised.

Consequences:

The Office for Civil Rights (OCR), within HHS, has received more than 85,000 HIPAA-related complaints since 2003. More than 30,000 of those have warranted an investigation, some 66 percent of which resulted in corrective action being required. That number is expected to rise: a newly released electronic complaint portal is expected to nearly double the number of legitimate complaints, from around 10,000 per year to about 18,000.

In 2012, the OCR launched its Audit Pilot Program, with the initial round consisting of 115 audits of health care providers, health plans and health care clearinghouses, collectively chosen to represent a broad sampling of the industry. Going forward, every covered entity and business associate is eligible for an audit.

OCR investigations may result in penalties, which vary greatly and are determined by the date of the violation, whether the covered entity knew, or should have known, about the violation and whether the violation was due to willful neglect.

The OCR may reduce a penalty if the failure to comply was due to reasonable cause, or if the penalty would be excessive given the nature and extent of the non-compliance. A penalty will not be imposed if:

The failure to comply was not due to willful neglect and was corrected within 30 days of the date the entity knew, or should have known, about the violation.

The U.S. Department of Justice has already imposed a criminal penalty for the same violation.

Solutions:

Trustwave provides a comprehensive portfolio that can help organizations of any size meet HIPAA requirements. We are well suited to support a compliance program centered on the administrative, physical and technical safeguards that HIPAA requires.

Plan and Prepare

Conducting a HIPAA risk assessment is the first step toward identifying and implementing the safeguards needed to achieve compliance. Trustwave helps you find gaps between your current security posture and HIPAA requirements. The customizable assessments, scaled separately for covered entities and business associates, include identification of key assets and IT systems, assessment of controls and frameworks, and a review of third-party providers and incident response programs.

Address Gaps and Vulnerabilities

HIPAA requires covered entities and their business associates to deploy technical controls to protect sensitive ePHI, whether at rest or in transit, and to be prepared for audits. Some of the ways we can help include:

Network Access Control
Ensures that managed and unmanaged devices connecting to the network comply with policy and do not introduce malware.

Web Application Firewall
Protects web applications against external attackers who may exploit vulnerabilities, such as SQL injection, to steal patient information.

SIEM
Gives you broad visibility into threats on your network and supports your compliance process through the logging, monitoring and analysis of security events.

Security Awareness Education
Teaches your employees and contractors to recognize social engineering and to follow security best practices, including password management and the safe use of web and social media tools.

Automate and Manage

TrustKeeper Compliance Manager lets you centrally automate and manage controls, policies and procedures across multiple compliance frameworks, including HIPAA. Compliance Manager is delivered through TrustKeeper, our cloud-based management portal, which provides a real-time view of the status of your compliance and security programs and gives access to all of your managed services. From a single dashboard, you can submit support requests, review event history, run reports and manage your account at any time.